2

A very similar issue was posted here; I do not believe they are the same.

IBM WebSphere Application Server SSO sets REMOTE_USER incorrectly

We are running IBM Cognos Business Intelligence Server 10.2.2 (no other extra software products) on WebSphere Application Server BASE version 8.5.5.2, both on an AIX version 7 server. We are trying to configure RSA SSO through basic HTTP authentication from WebSphere to Cognos. For authentication, we are using a custom authentication provider for both WebSphere and Cognos.

We are using two WAS profiles, one for running the Cognos Servlet Gateway (for patterns matching /ServletGateway/*) and the other for running the Content Manager and Reporting Services (for patterns matching /p2pd/servlet/dispatch).

After editing and deploying the Cognos CJAP jar (Custom Java Authentication Provider), making the changes to .../war/gateway/web.xml and .../war/gateway/application.xml.template, and building and deploying new application EARs, login works just fine... I am challenged for username and password, and entering the correct credentials logs the user into the Cognos portal. When viewing the HTTP header, as expected, Remote_User is null.

Things go wrong when we attempt to enable SSO. In WebSphere, we enable global security, set up the certs between the two profiles, etc., and after doing so, Remote_User is not populating.

WR Aldrich

2 Answers

0

When viewing the SSL certificates in the WebSphere console, we noticed the fingerprints of various certs were not the same. When the same cert was viewed in both WAS profiles' consoles, the fingerprints did not match.

So it appears global security is not working between the two WAS profiles. After much research we came across this IBM Technote, PM86382: Using RSA Authentication.

"When Hardware Crypto is used with administrative authentication set to RSA (which is the default in Base Appserver environment only) administrative tasks such as app deployments etc., fail."

By following the technote, we switched authentication to LTPA, issued new certs and redid the WebSphere profile configuration. After a restart, SSO is now working and the userid is properly populating into the HTTP header variable "Remote_User".

WR Aldrich
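The fingerprint check described in the answer above can be scripted instead of read off two consoles. This is an added example, not part of the original answer: it assumes each profile's certificates have been exported to PEM, and the aliases and certificate bytes below are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(pem_text, algo="sha256"):
    """Colon-separated hex digest over the DER bytes of the first PEM cert."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def compare_profiles(certs_a, certs_b, algo="sha256"):
    """certs_a / certs_b map keystore alias -> exported PEM, one dict per profile."""
    report = {}
    for alias in sorted(set(certs_a) | set(certs_b)):
        if alias not in certs_b:
            report[alias] = "only in A"
        elif alias not in certs_a:
            report[alias] = "only in B"
        elif fingerprint(certs_a[alias], algo) == fingerprint(certs_b[alias], algo):
            report[alias] = "match"
        else:
            # Same alias, different certificate: the symptom the answer describes.
            report[alias] = "MISMATCH"
    return report

def to_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample input: hypothetical aliases, placeholder bytes.
GATEWAY = {"was_default": to_pem(b"placeholder-cert-gateway"),
           "was_root": to_pem(b"placeholder-root")}
DISPATCHER = {"was_default": to_pem(b"placeholder-cert-dispatcher"),
              "was_root": to_pem(b"placeholder-root"),
              "cognos_signer": to_pem(b"placeholder-signer")}

if __name__ == "__main__":
    for alias, status in compare_profiles(GATEWAY, DISPATCHER).items():
        print("%-15s %s" % (alias, status))
```

Pass the digest algorithm the console displays as `algo` so the output can be compared directly with what the console shows.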
0

I am the author of the question you linked to; I'm not yet allowed to comment, so I must post this as an answer. Do you believe the certificate reload solution could work if we use a single profile? We use one single profile for everything since we have the ND edition of WebSphere; we just use two different app servers to keep the dispatcher and gateway apps separated.

RAKK